SSH Tunnel Forwarding
=====================
:author: Aaron Ball
:email: nullspoon@iohq.net


Yesterday, I had an idea that, remarkably enough, actually worked (go figure,
huh). I have a few friends who use Linux on their desktops but aren't quite
Linux gurus (but who am I kidding, neither am I, as evidenced by this post).
Don't get me wrong, of course: I'm super proud to have friends who aren't IT
people but use Linux on their desktops. That speaks a lot to the quality of
the work the Linux community has produced.

Despite the whole Linux thing, they still occasionally have issues and call me
for help. Most of the time, I just need GUI access to troubleshoot router
issues on their side or something like that. Now, telling someone over the
phone how to port forward and open up firewall ports on a router you don't
know, just so you can connect directly to their laptop/desktop through ssh, can
be really painful.


[[enter-the-brick-that-hit-me-in-the-head-yesterday...]]
== Enter the brick that hit me in the head yesterday...

I was driving to lunch yesterday and began wondering if it would be possible to
have two computers tunnel to a central server on the same port and, in essence,
forward traffic between the two tunnels. As it turns out, this actually works
(!!!), and it's really easy too.

So, for our example we'll have three computers: Me, Nexus, and Douglas (you know
who you are). Nexus is our central server that's accepting ssh connections, and
Douglas is my friend who needs help. It doesn't matter which order these
connections are made in. Additionally, we're going to assume that our friend's
VNC server is set up and listening on port 5901.

First (not really, since order doesn't matter), you need to connect to the
central server (nexus.example.com for our example). To do this, open a terminal
and type

----
ssh -L 5901:localhost:5901 me@nexus.example.com
----

Second (again, not really), our good friend Douglas needs to connect to the
nexus as well. To do that, he needs to open a *reverse* tunnel to the nexus
using the following command:

----
ssh -R 5901:localhost:5901 douglas@nexus.example.com
----

Open your VNC client on Me, connect to localhost:5901, and you should be golden!

Please take note of the differences between the two commands we just used. The
only difference (aside from the usernames) is the switch used for the tunnel.
*-L* establishes a standard (local) tunnel: ssh listens on port 5901 on Me and
forwards each connection through the session to localhost:5901 on the nexus.
*-R* establishes a reverse tunnel: sshd on the nexus listens on port 5901 and
forwards each connection back through Douglas's session to localhost:5901 on
his machine, where the VNC server is. Because both tunnels meet on the nexus's
port 5901, a connection to localhost:5901 on Me comes out at Douglas's VNC
server, with neither of us opening a port on our routers.

There is one security issue with this that could potentially cause you grief if
you don't own the central server. If you don't own the box exclusively, other
users on the box could also connect to the reverse tunnel: by default sshd binds
the *-R* listener to the nexus's loopback interface (127.0.0.1:5901), so anyone
with a shell on the nexus can reach Douglas's VNC server through it, with only
the VNC server's own password in the way (and if GatewayPorts is enabled in
sshd_config, that listener is reachable from the network, not just from the
box). If you do own the box, though, this shouldn't be an issue for you.
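
As an added example (not part of the original post), here is a small POSIX shell
check to run on the nexus once Douglas's reverse tunnel is up: it reads `ss -ltn`
output and reports whether the port 5901 listener is bound only to loopback,
bound to a non-loopback address (as it would be with GatewayPorts on), or absent.
The `ss` output embedded below is a constructed sample; `check_tunnel_bind` and
`verify_tunnel` are names chosen here, and on a real nexus you would call
`verify_tunnel "$(ss -ltn)" 5901`.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the nexus after Douglas's
# "ssh -R 5901:localhost:5901 ..." is up:  verify_tunnel "$(ss -ltn)" 5901

# Constructed sample of `ss -ltn` output on the nexus. The two 5901 lines are the
# reverse-tunnel listener; sshd binds it to loopback only unless GatewayPorts is on.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:5901      0.0.0.0:*
LISTEN 0      128    [::1]:5901          [::]:*'

# check_tunnel_bind SS_OUTPUT PORT
# Prints "loopback" if every listener on PORT is 127.0.0.1 or [::1],
# "exposed" if any listener on PORT is bound elsewhere (0.0.0.0, *, [::], ...),
# or "missing" if nothing listens on PORT (the reverse tunnel is not up).
check_tunnel_bind() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "LISTEN" {
      addr = $4
      # the port is whatever follows the last colon; the rest is the bind address
      n = split(addr, parts, ":")
      p = parts[n]
      if (p != port) next
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (host == "127.0.0.1" || host == "[::1]") loop = 1
      else exposed = 1
    }
    END {
      if (exposed) print "exposed"
      else if (loop) print "loopback"
      else print "missing"
    }'
}

# Returns non-zero when the tunnel is reachable beyond loopback or not up at all,
# so the check can gate a script that goes on to start the VNC client.
verify_tunnel() {
  result=$(check_tunnel_bind "$1" "$2")
  echo "port $2: $result"
  [ "$result" = "loopback" ]
}

verify_tunnel "$SAMPLE_SS" 5901
```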

_Insert clever post ending here_


Category:SSH
Category:VNC
Category:Linux


// vim: set syntax=asciidoc: